1. Field of the Invention
This invention relates to monitoring telecommunication systems, and more specifically, to an apparatus and method for detecting potentially fraudulent telecommunication system usage. Telecommunication systems include both wireless systems (e.g., cellular telephones, satellite transmission, etc.) and systems utilizing transmission lines (e.g., common telephone systems). Fraudulent telecommunication activity is unauthorized usage for which the telecommunication system owner is not paid for its services. The invention also relates to credit based management of telecommunication systems.
2. Description of the Related Art
Because immediate access to information has become a necessity in virtually all fields of endeavorxe2x80x94including business, finance and sciencexe2x80x94telecommunication systems usage, particularly for wireless telecommunication systems, is increasing at a substantial rate. With the increase in overall usage, however, the incidence of fraudulent usage has experienced a corresponding increase. It is estimated, for example, that fraudulent wireless telecommunication system usage is responsible for losses to the wireless telecommunication industry of $600 million each year. Clearly, a system for detecting and preventing such fraudulent activity would be highly desirable.
Fraudulent telecommunication activity, which may occur both in wireless and common telephone systems, has several different varieties. Among these varieties are cloning fraud, tumbling fraud, tumbling-clone fraud, calling card fraud, and subscriber fraud.
Cloning fraud, which occurs in cellular telephone systems, involves the misappropriation of a valid set of subscriber identification numbers (ID), programming the ID into one or more cellular telephones, and then using the xe2x80x9cclonedxe2x80x9d cellular telephones to place calls which are billed to the subscriber whose ID was misappropriated.
Tumbling fraud involves placing cellular telephone calls using a different randomly generated subscriber ID for each telephone call placed. Under certain circumstances no pre-call verification of the ID number is performed before the call is connected. Therefore, a fraudulent user may place calls even without possession of a valid subscriber ID. In this way, for example, 50 fraudulent calls placed by a single fraudulent user will be billed to 50 different subscriber IDs, most of which will be unassigned and unbillable, rather than to a single subscriber as in the case of cloning fraud.
Tumbling-Clone fraud, as the name suggests, is a hybrid of tumbling fraud and cloning fraud which involves placing cellular telephone calls using a plurality of cloned subscriber IDs. For example, a tumbling-clone cellular telephone may have a sequence of 10 different cloned subscriber IDs programmed into it. With each successive call placed by the fraudulent user, the cellular telephone would use the cloned subscriber ID next in sequence to initiate the call. In this way, the fraudulent calls would equally be dispersed over 10 different subscriber IDs, consequently making the fraudulent activity more difficult to detect.
Calling card fraud involves the misappropriation of a valid calling card number and then using the misappropriated number to place toll calls which are billed to an unsuspecting subscriber.
Subscriber fraud, which may occur in either cellular telephone or common telephone systems, involves fraudulent usage by an otherwise legitimate subscriber. Typically, this type of fraud is experienced when a subscriber signs up for telecommunication services, either cellular or calling card, and proceeds to use the telecommunication services with no intent of ever paying for the services provided. A user practicing subscriber fraud would continue to use the services without paying until system access was blocked by the service provider.
Although a number of prior fraud detection and prevention systems have been suggested, all have proved inadequate for various reasons. One proposed solution involves setting a predetermined number as a system-wide threshold for the number of cellular calls that may be placed by an individual subscriber in one day; when the predetermined number is exceeded, the method indicates that fraud has occurred. The system-wide threshold method, however, has several drawbacks. For example, this method applies the same threshold to every user. Typically, a high-volume subscriber such as a stockbroker may regularly place a large volume of calls each day in the normal course of business, whereas a low-volume subscriber who maintains a cellular telephone primarily for emergency usage may only place a few calls each week. The system-wide threshold method would be inadequate for each of these users, because it would generate a false alert for the high-volume subscriber who happens to legitimately exceed the threshold on a given day, while, incorrectly, no alert would be generated for the fraudulent use of the low-volume subscriber ID, as long as the threshold was not exceeded. Moreover, the system-wide threshold method is easily defeated by a fraudulent user who is aware of the predetermined threshold and takes care to limit the number of fraudulent calls placed to a number less than the threshold.
Another method, referred to as xe2x80x9ccall numbering,xe2x80x9d has been proposed to detect fraudulent cellular telephone calls, wherein a predetermined sequence of numbers is assigned to each cellular telephone unit within the network and, with each successive call placed, the next number in sequence is transmitted by the cellular telephone unit to the service provider station and recorded in the order received. When the call records are processed, if any call sequence number occurs more than once, or if the call sequence numbers are out of order, fraud or malfunction is indicated and the cause must be investigated. This method, however, has the disadvantage, inter alia, of requiring that the cellular telephone unit be modified to include additional equipment to generate and transmit the predetermined sequence of numbers. Consequently, the xe2x80x9ccall numberingxe2x80x9d method is incompatible with the large majority of existing telecommunication equipment that has not been modified.
Moreover, the call numbering method is unreliable. It has been found that the call number sequence may become disordered through normal legitimate use, by events such as early termination of the call or power failure, thereby resulting in false alerts.
Also of concern in telecommunication systems is the ability to effectively control or limit the risk of non-payment by a subscriber, whether or not associated with fraudulent activity, and the encouragement of system usage by subscribers who are able to pay for the service.
Therefore, a system which reliably and accurately indicates the possibility of fraudulent telecommunication activity, but which is flexible enough to permit legitimate use by a wide variety of subscribers, and which is compatible with all types of existing telecommunication equipment is needed.
It is an object of the present invention to provide a method and apparatus for detecting potentially fraudulent telecommunication activity by comparing current usage for a particular subscriber ID or calling card number with the particular subscriber""s historical pattern of usage. If current usage for that ID or calling card number indicates a deviation in the historical pattern of usage by the subscriber, a potential fraud is indicated.
In one embodiment of the invention, the particular subscriber""s usage is analyzed to determine parameters such as call duration (the average length in time of a call), call velocity (the number of calls placed within a specified time period), and call thresholds (the highest number of calls placed by the subscriber within a specified time period). One or more of these parameters is then compared to the particular subscriber""s historical pattern of usage. If there is abnormal usage relative to the subscriber""s historical pattern of usage, a potential fraud is indicated.
In one embodiment a particular subscriber""s usage is characterized as a plurality of moving averages, each calculated over a different specified number of days, which are then compared to each other to determine if a significant deviation in usage has occurred. When a significant deviation in usage is detected, a potential fraud is indicated.
In another embodiment, a significant deviation in usage is indicated when both of the following two conditions are satisfied: (1) a moving average calculated over a shorter number of days is greater than a moving average calculated over a longer number of days; and (2) the percentage increase between a moving average calculated on day (t) and the same moving average calculated on the prior day (txe2x88x921) exceeds a predetermined amount.
It is a further object of the present invention to provide a method and apparatus for detecting potentially fraudulent telecommunication activity by detecting an occurrence of overlapping calls. Overlapping calls are two or more calls which either (1) occur concurrently, or (2) are placed from different geographic regions and occur within a sufficiently short time interval such that it would be improbable that a single subscriber could place the first call and then travel to the location of the second call within the given time interval to place the second call. Because each unique subscriber ID or calling card number may typically only be used by a single subscriber from a single location at one time, fraud is indicated upon occurrence of either or both of these two conditions.
In one embodiment, the fraud detection apparatus looks at each call made by a particular subscriber to determine whether any two calls using the same subscriber ID or calling card number occurred substantially concurrently.
In another embodiment, the fraud detection apparatus adjusts each call for geographic dispersion to determine if two or more calls were placed using the same subscriber ID or calling card number from different geographic locations within a sufficiently short time interval such that travel between the two geographic locations within the given time interval is improbable.
It is a further object of the present invention to provide a method and apparatus for detecting potentially fraudulent telecommunication activity by comparing the particular subscriber""s present telecommunication usage with a predetermined call destination. If the predetermined subscriber-specific condition is satisfied, fraud is indicated.
In one embodiment, each number called using a particular subscriber ID or calling card number is compared to a predetermined list of numbers suspected of frequently being called by fraudulent users.
In a further embodiment, each country called using a particular subscriber ID or calling card number is compared to a predetermined list of countries suspected of frequently being called by fraudulent users.
Several of the above-mentioned objects are achieved by an apparatus comprising a digital computer; interface means for receiving a call information record for each call involving a particular subscriber; comparison means for comparing the particular subscriber""s current usage with a subscriber-specific historical pattern of usage; and output means for outputting an alert-state to signal a potentially fraudulent call based upon a result of the comparison performed by the comparison means.
It is also an object of the present invention to provide a method and apparatus to control or limit the risk of non-payment by a subscriber, whether such non-payment is associated with fraudulent activity or not. It is a further object to encourage subscribers that are able to pay to use the system. One embodiment of the invention includes an interface for communicating credit information on a particular subscriber with a credit bureau, which could be a traditional credit bureau or the carrier. Based upon the credit information, a credit limit for the subscriber is established by the apparatus. The interface also receives call records that are associated with the particular subscriber and are derived from a telecommunication switch, i.e., a device for establishing connections between telecommunication devices. An analysis device is also provided to compare the subscriber""s call usage to a credit limit established for the subscriber based upon the credit information obtained from the credit bureau. If the subscriber has exceeded their credit limit the apparatus utilizes an output device to indicate so to an operator or another device. Consequently, the carrier can limit risk of non-payment on a per subscriber basis and, conversely, encourage system usage and, as a consequence, revenue on a per subscriber basis with respect to those subscribers that are more able or likely to pay for the service.
In another embodiment, the apparatus updates the subscriber""s credit limit by obtaining an updated credit report or score for the subscriber from the credit bureau. Consequently, the subscriber""s credit limit can be lowered or the subscriber""s deposit requirement can be increased if the subscriber is becoming a greater credit risk, thereby limiting or reducing the risk of non-payment to the carrier. Conversely, the subscriber""s credit limit can be increased or the deposit requirement decreased if the subscriber is becoming a lower credit risk, thereby encouraging the subscriber to further utilize the system.
In yet a further embodiment, the apparatus is capable of adjusting the predetermined time interval for updating a subscriber""s credit limit. Consequently, the apparatus attempts to optimize or reduce the costs associated with obtaining credit reports or scores on subscribers. This is especially important in systems with large numbers of subscribers.
These and other features of the present invention will become evident from the detailed description set forth hereafter with reference to the accompanying drawings.